Using Checks

The Checks page gives a structured security view for IAM/IT and security teams of how your company complies with best-practice configuration recommendations (“checks”) relating to identity misconfiguration, stale access, and over-privileging. This page shows a catalog of security checks that provide visibility into the preventative security posture of your applications and systems.

For example, the Enable MFA (Multi-factor Authentication) for All Users check shows the level of MFA enrollment within the organization.

See also:

  • The complete list of available CID Checks

  • The complete list of available ITP/PCCE Checks

Onboarding Process

The onboarding process does not require additional permissions. Start by updating check severities if necessary and disabling irrelevant checks.

To effectively engage with the Identity Posture functions, begin by exploring the Apps Overview page to identify the most vulnerable applications. Proceed to the posture page filtered by the specific application, review all failed checks, and address them individually based on their severities, categories or compliance frameworks. See Using Apps Overview.

Viewing the Checks Page

From the left navigation, select Identity Posture > Checks.

On the Checks page, each row represents a different check that Delinea Platform runs. These checks are based on instances of applications that are integrated with the platform.

By default, the page is sorted in descending order by check severity. You can change the sort order by clicking a column heading.

The checks are divided into categories to streamline management:

  • AI Security — Misconfigurations that expose AI services, models, or agents to unauthorized access, data leakage, or prompt-based abuse.

  • Stale Access — Identities, credentials, or permissions that remain active despite being unused, dormant, or no longer needed by their owners.

  • Authentication — Weak or missing authentication controls such as disabled MFA, weak password policies, and insecure sign-in configurations.

  • Privilege Escalation — Configurations that allow an identity to elevate its permissions beyond its intended scope, granting unintended administrative access.

  • Key Management — Improperly stored, rotated, or protected cryptographic keys, secrets, and certificates that increase the risk of compromise.

  • Privileged Access — Over-permissioned, unmanaged, or unprotected privileged accounts and roles that lack proper safeguards like vaulting, rotation, or just-in-time access.

The table displays basic information and the compliance frameworks relevant to each check. The Results Count column displays the number of entities (Affected Entities) that failed the check.

Best Practices for Checks

For best results, follow these recommendations.

  • Have a posture score of at least 90% for each application.

  • Solve all high severity checks within a week, medium severity checks within two weeks, and low severity checks within a month.

  • Regularly monitor the posture pages and posture scores for your connected applications to identify configuration drifts and degraded checks. Review once a week to detect any misconfigurations in a timely manner.

  • Engage your app owners in reviewing and addressing any misconfigurations.

Diagnosing Issues with the Checks Side Panel

On the Checks page, click any row in the table. The Checks side panel opens, displaying more information about the check.

General Tab

On the General tab, the Description includes the function of the check and the security motivation for remediating the Affected Entities.

Disable a Check

To disable a check, click Disable.

Disabling a check decreases your overall identity posture score. Click Disable only If your organization is unable to follow the best-practice recommendations, and is willing to accept the risk of a misconfiguration.

Change a Check's Severity

To change the severity of a check, select a different setting from the Severity drop-down menu.

Affected Entities Tab

The Affected Entities tab displays each affected entity. Click any entity to expand its panel, where you can view the detailed Description and the remediation Recommendation.

Vault an Affected Entity or Exclude it from a Check

Excluding an Affected Entity from a check can change the status of the check; for example, if all entities are excluded, the check will always pass.

To exclude a specific Affected Entity from a check:

  1. Click the entity to expand its panel.

  2. On the desired entity, hover your cursor to the left of the up caret, click the three dots, then select More actions.

  3. Select Exclude from the drop-down menu. Excluded entities are moved to the Excluded list.

To vault an unvaulted Affected Entity, select Vault account credentials.

Remediation Steps Tab

The Remediation Steps tab lists the steps recommended to remediate a failed check.

Grouping

You can now group results on the Identity Posture Checks page by check name, giving you a clearer, organized view of every check the platform supports — including those that currently have no findings.

This view makes it easy to:

  • See the full catalog of available checks at a glance.

  • Quickly identify which checks are active, which have findings, and which are passing across your environment.

  • Navigate large result sets without losing context.

When to use: When you want a high-level view of your overall check coverage, or when reviewing posture across multiple applications and instances.

Bulk Actions

Once results are grouped, you can apply bulk actions to update multiple checks in a single click — either across an entire group or on individually selected checks.

Supported bulk actions:

  • Update severity: re-prioritize multiple checks at once based on your organization's risk model.

  • Update status: change the state of multiple checks (for example, acknowledge, mute, or reopen).

When to use: When you need to re-tune your posture program — for example, after a risk-tier review, an organizational change, or onboarding a new application — without clicking through each check individually.

Consolidated CSV Report

You can now download a consolidated CSV report that includes affected entities from multiple checks and applications in a single file.

Previously, sharing posture findings externally required exporting and combining multiple CSVs. With consolidated export, you can:

  • Share all affected entities for a given check across every instance in one report.

  • Combine findings from multiple checks and applications into a single deliverable.

  • Hand off remediation work to other teams, auditors, or external stakeholders without manual file merging.

When to use: When sharing posture findings with teams that don't have direct platform access — application owners, auditors, compliance reviewers, or executive stakeholders.